Android versions of popular cryptocurrency app Bitcoin Ticker Widget and a seeming clone of Steemit, Steemit Earn Money, included software development kit (SDK) tools that extract extensive data on users in the past and are potentially linked to location tracking code from X-Mode a notorious data tracking company, according to a new report from Express VPN Digital Security Lab. Two other personal finance apps also have been found to contain these data trackers.
“We wanted to say to consumers: ‘This is a huge problem; you may not be aware of it,’” said Sean O’Brien, principal researcher at ExpressVPN Digital Security Lab. “Even though these apps aren't all huge brands, these apps have been downloaded 1.7 billion times, collectively, and millions of times for each individual app. They're running on people's phones in their pockets. People are using them for dating and social and finances but they're not fully aware of the amount of data that’s being scooped up.”
Scooping personal data
While there are many companies that buy and sell access to location data harvested from unsuspecting people’s phones, X-Mode has come under scrutiny after its ties to government contractors and the military were revealed.
In November 2020, Vice reported X-Mode was getting detailed location data back from multiple Muslim prayer apps, then selling that data “to contractors, and by extension, the military.”
This new report, a far more extensive inquiry into this issue, found X-Mode code was in 44% of the 450 apps they analyzed, and those apps had been downloaded at least a billion times.
“These apps are global and include health as well as weather apps, games and makeup photo filters,’ reads the report.
While Steemit Earn Money has only been downloaded about 100 times, Bitcoin Ticker Widget has been downloaded over 1 million times.
In December, Apple and Google told developers to remove X-Mode from their apps or be banned from their app stores, but by the end of January, the report found, many apps have not yet complied, which was confirmed by TechCrunch in at least one case.
Overall, the study examined 450 Android apps for data trackers.
X-Mode’s SDKs and data brokers
SDKs are foundational tools that make it quicker and easier for developers to make apps. That being said, those tools can contain code that isn’t necessary to the core function of an app. This extra code can track location, extract data and generally relay information back to the creator of the SDK. That information can then be shared or sold to be used for a variety of purposes.
When users download an app and accepts its terms of service and privacy policy, they may be inadvertently opting into these forms of data collection, even if they’re not told exactly whose hands the data may end up in. These sorts of practices are common in the world of targeting advertising but, as has been previously documented, data can also end up in the hands of law enforcement (even without a warrant), bounty hunters and others.
“Inside the X-Mode SDK, are code references to five data providers,” said O’Brien. “These are other entities that people loosely called ‘data brokers.’ Sometimes they're doing actual selling of data and sometimes they're not. While it’s somewhat complex, these five entities are basically well-known brands in this location surveillance space.”
“What seems to be occurring because of what's in the code is that these data providers have some sort of business relationship with X-mode, either current or prior,” said O’Brien. “And if they are enabled in these apps, then those providers are also getting some information from the app that has the X-mode SDK.”
OneAudience, Opensignal and location data tracking
OneAudience, included in both Bitcoin Ticker Widget and Steemit Earn Money, was one “data broker” tracker referenced in X-Mode’s code as part of the SDK. It was the subject of a ban and lawsuit by Facebook over data privacy violations because of data OneAudience’s SDK was collecting.
In February 2020 Twitter and Facebook claimed that “OneAudience had been harvesting private data, such as people’s names, genders, emails, usernames and potentially people’s last tweets” to such an extent that it has been compared to the Cambridge Analytica scandal. The SDK was shut down at the end of 2019.
Another data tracker, Opensignal, primarily functions as a WiFi mapper, through which users’ locations can be determined.
In its lawsuit against OneAudience, according to Recode, Facebook argued that “OneAudience also paid apps to harvest users’ Google and Twitter information when they logged into one of the compromised apps using their Google or Twitter account information.”
OneAudience, when shutting down the SDK that was the subject of the lawsuit, said, “We were advised that personal information from hundreds of mobile IDs may have been passed to our OneAudience platform. This data was never intended to be collected, never added to our database and never used.”
Opensignal’s business model, on the other hand, is primarily dependent upon its Wi-Fi mapping use case.
“‘The question is, how much of the Wi-Fi data are they scooping?”’ asked O’Brien.
In its privacy policy, Opensignal states it gathers geolocation data, “network type, network operator, cellular and WiFi signal strength and quality, and the identifiers of connected cell towers and WiFi routers.”
OneAudience did not respond to a request for comment. Opensignal, in response to a request for comment, directed readers to its Data Privacy Charter.
A 'rich amount' of personal data
Stepping back and looking at the report and network traffic from these apps, O’Brien has two big takeaways when it comes to the impact on your data privacy.
“Usually the data is not being handled very well,” he said. “And there's a rich amount of data that can be used as an identifier for a person that's going through the pipe, even if location is the only named reason the data is being scooped up.”
If you choose to keep using the apps like Bitcoin Ticker Widget and Steemit Earn Money, there are ways to limit their data-tracking capabilities. O’Brien said users should go into settings and check permissions for the app, especially location permissions, and revoke them.
“That may mean the app becomes less functional or displays nagging screens asking for permission,” he said. “Otherwise, unfortunately, the only other step is removing the app. If you’re a California or [European Union] resident, there may be some other steps to take regarding requesting information to be deleted or at least requesting a copy of the information they have.”